Freestyle, a randomized version of ChaCha for …Freestyle, a randomized version of ChaCha for...

Freestyle, a randomized version of ChaCha for resisting offline brute-force anddictionary attacks

P. ARUN BABU, Robert Bosch Center for Cyber-physical Systems, Indian Institute of Science, India

JITHIN JOSE THOMAS, Department of Electrical and Computer Engineering, Texas A&M University, USA

This paper introduces Freestyle, a randomized, and variable round version of the ChaCha cipher. Freestyle demonstrates the conceptof hash based halting condition, where a decryption attempt with an incorrect key is likely to take longer time to halt. This makesit resistant to key-guessing attacks i.e. brute-force and dictionary based attacks. Freestyle uses a novel approach for ciphertextrandomization by using random number of rounds for each block of message, where the exact number of rounds are unknown tothe receiver in advance. Due to its inherent random behavior, Freestyle provides the possibility of generating up to 2256 differentciphertexts for a given key, nonce, and message; thus resisting key and nonce reuse attacks. This also makes cryptanalysis throughknown-plaintext, chosen-plaintext, and chosen-ciphertext attacks difficult in practice. Freestyle is highly customizable, which makesit suitable for both low-powered devices as well as security-critical applications. It is ideal for: (i) applications that favor ciphertextrandomization and resistance to key-guessing and key reuse attacks; and (ii) situations where ciphertext is in full control of anadversary for carrying out an offline key-guessing attack.

CCS Concepts: • Security and privacy→ Block and stream ciphers; • Theory of computation→ Cryptographic primitives;

Additional Key Words and Phrases: Brute-force resistant ciphers, Dictionary based attacks, Key-guessing penalty, Probabilisticencryption, Freestyle, ChaCha

P. Arun Babu and Jithin Jose Thomas. 2018. Freestyle, a randomized version of ChaCha for resisting offline brute-force and dictionaryattacks. . 9, 4, Article 39 (March 2018), 30 pages. https://doi.org/0000001.0000001

1 INTRODUCTION

A randomized (aka probabilistic) encryption scheme involves a cipher that uses randomness to generate differentciphertexts for a given key, nonce (a.k.a. initial vector), andmessaдe . The goal of randomization is to make cryptanalysisdifficult and a time consuming process. This paper presents the design and analysis of Freestyle, a highly customizable,randomized, and variable-round version of ChaCha cipher[Bernstein 2008a]. ChaCha20 (i.e. ChaCha with 20 rounds)is one of the modern, popular (for TLS [Langley et al. 2016] and SSH [Miller 2018; Miller and Josefsson 2018]), andfaster symmetric stream cipher on most machines[cha 2017; Bursztein 2014]. Even on lightweight ciphers, realisticbrute-force attacks with key sizes ≥ 128 bits is not feasible with current computational power. However, algorithms andapplications that have lower key-space due to: (i) generation of keys from a poor (pseudo-)random number generator[cve 2017; Bello et al. 2008; Heninger et al. 2012; Kim et al. 2013; Lenstra et al. 2012; Yilek et al. 2009]; (ii) weak passwords[Lorente et al. 2015] and poor implementations of password based key derivation [Ruddick and Yan 2016; Visconti et al.2015]; and, (iii) poor protocol or cryptographic implementations [Adrian et al. 2015; Beurdouche et al. 2015; Vanhoef

Authors’ addresses: P. Arun Babu, Robert Bosch Center for Cyber-physical Systems, Indian Institute of Science, CV Raman road, Bengaluru, Karnataka,560012, India, [email protected]; Jithin Jose Thomas, Department of Electrical and Computer Engineering, Texas A&M University, College Station,Texas, USA, [email protected].

© 2018Manuscript

1

https://doi.org/0000001.0000001

2 Arun Babu and Jithin Jose

and Piessens 2017] are prone to key-guessing attacks (brute-force and dictionary based attacks). Such attacks are alsobecoming increasingly feasible due to steady advances in the areas of GPUs [Agosta et al. 2013; Chiriaco et al. 2017; Guet al. 2017], specialized hardware for cryptography [Gürkaynak et al. 2017; Javeed et al. 2016; Khalid et al. 2017; Liuet al. 2017; Malvoni et al. 2014; Wiemer and Zimmermann 2014], and memories in terms of storage size and in-memorycomputations [Jain et al. 2017; Kim et al. 2016; Reis et al. 2018; Sebastian et al. 2017].

Techniques such as introducing a delay between incorrect key/password attempts, multi-factor authentication, andCAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) are being used to resistbrute-force attacks over the network (i.e. on-line brute-force attack). However, such techniques cannot be used if theciphertext is in full control of the adversary (i.e. offline brute-force attack); for example: encrypted data gathered from awireless channel, or lost/stolen encrypted files/disks. To resist offline brute-force attacks, key-stretching and sloweralgorithms[Buchanan 2015] are preferred. Although, such techniques are useful, they are much slower on low-powereddevices, and also slow down genuine users.

1.1 Our contribution

This paper makes three main contributions: (i) We demonstrate the use of bounded hash based halting condition, whichmakes key-guessing attacks less effective by slowing down the adversary, but remaining relatively computationallylight-weight for genuine users. We introduce the key guessing penalty, which acts as a measure for a cipher’s resistanceto key-guessing attacks. The physical significance of KGP is that the adversary would require at least KGP timescomputational power than a genuine user to launch an effective key-guessing attack; (ii) We demonstrate a novelapproach for ciphertext randomization by using random number of rounds for each block of message; where the exactnumber of rounds are unknown to the receiver in advance; (iii) We introduce the concept of non-deterministic CTR

mode of operation and demonstrate the possibility of using the random round numbers to generate up to 2256 differentciphertexts - even though the key, nonce , andmessaдe are the same. The randomization makes the cipher resistant tokey re-installation attacks such as KRACK [Vanhoef and Piessens 2017] and cryptanalysis by XOR of ciphertexts in theevent of the key and nonce being reused.

The interesting feature of Freestyle’s decryption algorithm is: that it is designed to be computationally light-weightfor a user with a correct key; but, for an adversary with an incorrect key, the decryption algorithm is likely to take longertime to halt. Thus, each key-guessing attempt is likely to be computationally expensive and time consuming.

The rest of the paper is structured as follows: Table 1 lists the notations used in the paper; section 2 presents thebackground information on ChaCha cipher and its variants; section 3 describes the Freestyle cipher; section 4 presentsresults and cryptanalysis of Freestyle cipher; section 5 presents related work; and section 6 concludes the paper.

2 CHACHA CIPHER AND VARIANTS

ChaCha20[Bernstein 2008a] is a variant of Salsa20[Bernstein 2005a, 2008b], a stream cipher. It uses 128-bit constant ,256-bit key, 64-bit counter , and 64-bit nonce to form an initial cipher-state denoted by S(0), as:

constant[0], constant[1], constant[2], constant[3]

key[0], key[1], key[2], key[3]key[4], key[5], key[6], key[7]

counter [0], counter [1], nonce[0], nonce[1]

Freestyle, a randomized version of ChaCha for resisting offline brute-force and dictionary attacks 3

Table 1. List of symbols

Notation DescriptionRmin Indicates the minimum number of rounds to be used for encryption/decryption. Rmin ∈ [1, 255].Rmax Indicates the maximum number of rounds to be used for encryption/decryption. Rmax ∈ [Rmin + 1, 255].R Number of rounds used to encrypt the current block of message. R = random(Rmin, Rmax )

Ri Number of rounds used to encrypt ith block of message. Ri = random(Rmin, Rmax ) and i ≥ 0.r The current round number. r ∈ [1, R]

hf () Freestyle hash function which generates an 8-bit hash from a 144-bit input.HI Round intervals at which an 8-bit hash has to be computed. HI is set to 1 at cipher initialization;

and during encryption/decryption HI is set to дcd (Rmin, Rmax ).Pb The number of pepper bits to be used during cipher initialization. Pb ∈ [8, 32]Ih The number of initial hashes/round-numbers to be used for cipher initialization. Ih ∈ [7, 56]Pr The number of rounds to be pre-computedCp The 32-bit cipher-parameter created by concatenating Rmin, Rmax , HI , Pb , Ih, Pr

pepper The number of iterations required for cipher initialization. pepper = random(0, 2Pb − 1).R∗i The number of rounds computed using the expected hash and pepper for ith block ofmessaдe .

rand The 256-bit value that is generated at the sender side and is to be computed at the receiver side.E[pepper ] The expected value of pepper .E[R+] The expected number of rounds executed by an user when an incorrect key or pepper is used.E[R] The expected number of rounds executed by a genuine user to encrypt/decrypt a block ofmessaдe .

If an uniform (P)RNG is used, then E[R] =Rmin + Rmax

2 .

v (r ) The value of v after r rounds of Freestyle. If v (0) is not explicitly defined, then v (0) = 0.v[n] nth element of v .a ⊕ b Bit-wise XOR of a and b .a ⊞ b Addition of a and b modulo 232 .|v | The length of v in bits.

Nb The number of blocks in amessaдe . Nb =⌈|messaдe |

512

⌉

Prn (X = 1) The probability of getting a valid round number at the nth trial, when using an incorrect key or pepper .

Nc The total number of ciphertexts possible for a given: key , nonce , andmessaдe .Nr The number of ways a block of message can be encrypted using random number of rounds (R).

Nr =(Rmax − Rmin

HI+ 1

)t ime(o) The expected time taken to execute the operation ’o’.

S The 512-bit cipher-state for a given block ofmessaдe .counter The counter in the CTR mode of operation.null An empty string.R A random number that is independent of the key , nonce ,messaдe , and pepper .

ChaCha20 uses 10 double-rounds (or 20 rounds) on S(0); where each of the double-round consists of 8 quarter rounds(QR) defined as:

Odd round Even round

QR (S [0], S [4], S [ 8], S [12]) QR (S [0], S [5], S [10], S [15])QR (S [1], S [5], S [ 9], S [13]) QR (S [1], S [6], S [11], S [12])QR (S [2], S [6], S [10], S [14]) QR (S [2], S [7], S [ 8], S [13])QR (S [3], S [7], S [11], S [15]) QR (S [3], S [4], S [ 9], S [14])

(1)

where the 16 elements of the cipher-state matrix are denoted in row-wise fashion, using an index in the range [0,15].And the quarter-round QR(a,b, c,d) is defined as:

a ← a ⊞ b; d ← d ⊕ a; d ← d ≪ 16;c ← c ⊞ d ; b ← b ⊕ c; b ← b ≪ 12;a ← a ⊞ b; d ← d ⊕ a; d ← d ≪ 8;c ← c ⊞ d ; b ← b ⊕ c; b ← b ≪ 7;

(2)


After 20 rounds, the initial state (S(0)) is added to the current state (S(20)) to generate the final state. The final state isthen serialized in the little-endian format to form the 512-bit key-stream, which is then XOR-ed with a block (512 bits)of plaintext/ciphertext to generate a block of ciphertext/plaintext. The above operations are performed for each blockofmessaдe to be encrypted/decrypted.

ChaCha is a simple and efficient ARX (Add-Rotate-XOR) cipher, and is not sensitive to timing attacks. ChaCha hastwo main flavors with reduced number of rounds i.e. with 8 and 12 rounds. ChaCha12 is considered secure enough asthere are no known attacks against it yet [Choudhuri and Maitra 2016]. ChaCha20 has two main variants: (i) IETF’sversion of ChaCha20 [Langley et al. 2016; Nir and Langley 2015] which uses a 32-bit counter (instead of 64-bit) and96-bit nonce (instead of 64-bit); and (ii) XChaCha20 [Denis 2018], which uses 192-bit nonce (instead of 64-bit), where arandomly generated nonce is considered safe enough [lib 2017]. The larger nonce in XChaCha20 makes the probabilityof nonce reuse low.

3 THE FREESTYLE CIPHER

The Freestyle’s core is similar to the IETF’s version of ChaCha, but uses hash based halting condition. Traditionallyciphers are designed to use fixed number of rounds in the encryption and decryption process. Even in variable roundciphers, the number of rounds is well known in advance. This makes the cipher to take nearly the same amount oftime to execute the decryption function, irrespective of the key being correct or incorrect. This is advantageous for anadversary if the cipher is lightweight and parallelizable. To resist such attacks, Freestyle uses the concept of hash basedhalting condition.

It works on the following principle: a sender encrypts a block of message using a random number of round (R),which is never shared with the receiver. However, the sender along with the ciphertext shares the hash of the cipherstate (or partial cipher-state) after executing R rounds. The hash is sent in cleartext; and the receiver can compute Rusing the correct key, and the received hash. This expected hash acts as a halting condition for the decryption process;i.e. the receiver has to keep executing the decryption algorithm till the computed hash matches the expected hash. Foran adversary using brute-force or dictionary based attack, since the key is incorrect, during the decryption process, thehash is expected to take longer time to match. This asymmetry makes offline brute-force and dictionary based attacksless efficient.

The proposed approach makes the assumption that: (i) the hash function is secure enough, that from the hash itis computationally infeasible to compute the number of rounds, key, or any other secret information; (ii) the roundnumber (R) is generated using a good uniform (P)RNG like hardware random number generator or cryptographicallysecure pseudo-random number generator (CPRNG) (e.g. arc4random [De Raadt 2014]).To achieve hash based halting condition and ciphertext randomization, Freestyle uses the following 5 parameters:

(1) Rmin ∈ [1, 255], indicating the minimum number of rounds to be used for encryption/decryption. Rmin isrecommended to be ≥ 8; however for security-critical applications: Rmin ≥ 12 is preferred.

(2) Rmax ∈ [Rmin + 1, 255], indicating the maximum number of rounds to be used for encryption/decryption. UsingRmin and Rmax , for each block ofmessaдe , a round number (R) is generated randomly by the sender which willbe used to encrypt the current block of message.

(3) Pb ∈ [8, 32], indicating the number of pepper bits to be used during cipher initialization. Pb determines thenumber of iterations that will be needed to initialize the cipher. The pepper serves the same function as salt ,


Rmin Rmax Pb Ih Pr(8 bits) (8 bits) (6 bits) (6 bits) (4 bits)

Fig. 1. The 32-bit cipher-parameter (Cp )

however it may not be stored along with the hash or ciphertext (i.e. can be forgotten by the sender after use)[Forler et al. 2013; Kedem and Ishihara 1999]. Pb ≥ 16 is recommended for security-critical applications.

(4) Ih ∈ [7, 56], indicates the number of initial random-rounds to be used for cipher initialization. Ih determines thenumber of possible ciphertexts that can be generated for a given key,nonce , andmessaдe . Ih ≥ 28 is recommendedfor security-critical applications.

(5) Pr ∈ [0, 15] and Pr ≤ (Rmin − 4), indicates the number of Freestyle rounds to be pre-computed.

Using the values of Rmin and Rmax , a hash interval denoted by HI ∈ [1,Rmin ] is computed. HI indicates theround intervals at which an 8-bit hash of partial cipher-state must be computed. The value of HI is set to 1 duringcipher-initialization and is set to дcd(Rmin ,Rmax ) during encryption and decryption. For a given Rmin and Rmax , theдcd(Rmin ,Rmax ) is the optimal value of hash interval possible for performance. At the time of encryption, the sendercomputes the hash after every HI rounds; and at the end of R rounds the hash is sent to the receiver. On the other hand,while decrypting a block of message, the receiver computes the hash after every HI rounds; and decryption is stoppedonly if it matches with the received hash. While decrypting a block of message, if the computed hash does not matchthe expected hash even after executing Rmax rounds, then either the key, nonce , or one of the parameters provided bythe receiver is incorrect.Remark 1 It must be noted that hashes are computed only after executing Rmin rounds. This avoids accidentallyterminating after executing fewer than expected number of rounds.Remark 2 The performance of Freestyle is ∝ HI × Pr

Rmin × Rmax × Pb × Ih. Thus the parameters must be carefully chosen

based on the required security level and performance.

3.1 The initial cipher-state (S(0))

The initial cipher-state of Freestyle, denoted by S(0) (equation 3) is a 4×4 matrix of 32-bit words consisting of: 128-bitconstant , 256-bit key, 32-bit counter , and 96-bit nonce . Unlike ChaCha[Bernstein 2008a], the counter size has beenreduced to 32-bit as in practice most of the protocols such as the SSH transport protocol [Ylonen and Lonvick 2006]recommend re-keying after 1GB of data sent/received.

Freestyle’s initial cipher-state is similar to the IETF’s version of ChaCha, except that the constants are modifiedusing the cipher-parameter (Cp ). Cp is formed by concatenating all the 5 parameters i.e. Rmin , Rmax , Pb , Ih , and Pr

to generate a unique 32-bit string as shown in the figure 1. The Cp is then XOR-ed with the constant[0] (equation 3).This step makes encryption with one cipher-parameter incompatible with other cipher-parameters by design; thus,cryptanalysis data collected from a cipher with weaker cipher-parameter cannot be reused against a cipher with strongercipher-parameter.


S(0) =

©«constant[0]⊕

Cp

ª®®®¬ , constant[1], constant[2], constant[3]

key[0], key[1], key[2], key[3]

key[4], key[5], key[6], key[7]

counter , nonce[0], nonce[1], nonce[2]

(3)

3.2 Initialization for encryption

After the initial cipher-state (S(0)) is computed, the following temporary configuration is set irrespective of the cipher-parameter (Cp ):

Rmin = 8, Rmax = 32, HI = 1, and Pr = 4 (4)

This is done to ensure there is enough entropy even if weaker values of Rmin and Rmax are set by the user. This stepalso helps in cases where the parameters can be downgraded in Man in the middle (MiTM) attacks such as Logjam[Adrian et al. 2015].

As the number of pre-computed rounds (Pr ) is now set to 4; 4 rounds of Freestyle are pre-computed using 0 as thecounter ; which results in S(4). After which, a random pepper from [0, 2Pb ) is generated by the sender and added toS(4)[0] to form the intermediate cipher-state (S∗) as shown in equation 5.

S∗ =

©«S(4)[0]⊞

pepper

ª®®®¬ , S(4)[1], S(4)[2] S(4)[3]

S(4)[4], S(4)[5], S(4)[6] S(4)[7]S(4)[8], S(4)[9], S(4)[10] S(4)[11]S(4)[12], S(4)[13], S(4)[14] S(4)[15]

(5)

After which, S∗[12] is used as the counter in CTR mode to generate Ih number of cipher states. Here, as 4 roundshave been already been pre-computed, each of the Ih blocks will now only require (Ri − 4) additional rounds (where,Ri = random(8, 32),∀i ∈ [0, Ih )). Then, from each of the Ih number of cipher states, Ih number of expected hashes arecomputed using Freestyle’s hash function (figure 2, code in Appendix - A).

The above hashes are used for the hash based halting condition described earlier in section 3. Freestyle’s hashfunction generates an 8-bit hash using: (i) the 8-bit current round number (r ), (ii) the 128 bits from the anti-diagonalelements of the current cipher-state (S(r )), and (iii) the 8-bit previous hash (i.e. hash(r−HI )).

It must be noted that at this point only Ih number of hashes are generated, and no encryption is performed yet.The sender then using the Ih number of random round numbers: {R0,R1, ...,RIh−1}, a 256-bit rand is computed usingADD-XOR-Rotate instructions as shown in figure 3. The number of possible values of rand is dependent on the Ih value.


r hash(r−HI)

� ⊕�S(r)[3]32

8 8

⊕

≪16

� S(r)[6]32⊕

≪12

S(r)[9] �32 ⊕

≪8

� S(r)[12]32⊕

≪7

32

hash(r)

8 LSBs

Fig. 2. The Freestyle hash function - hf (), for the round r (the size of variables are in bits). Note that hash(Rmin−HI ) = 0.

If Ih = 7, Freestyle can generate 232 possible values of rand ; where as if Ih = 56, Freestyle can generate 2256 possiblevalues of rand . The rand value is then used to modify the current cipher-state (S∗) as shown in equation 6. This makesFreestyle resistant to chosen IV attacks [Maitra 2016] and cryptanalysis due to potential biases and Probabilistic NeutralBits (PNBs) [Choudhuri and Maitra 2016].

S∗ ←

S∗[0],©«

S∗[1]⊕

rand[1]

ª®®®¬ ,©«

S∗[2]⊕

rand[2]

ª®®®¬ ,©«

S∗[3]⊕

rand[3]

ª®®®¬©«

S∗[4]⊕

rand[4]

ª®®®¬ ,©«

S∗[5]⊕

rand[5]

ª®®®¬ ,©«

S∗[6]⊕

rand[6]

ª®®®¬ ,©«

S∗[7]⊕

rand[7]

ª®®®¬S∗[8], S∗[9], S∗[10], S∗[11]

S∗[12], S∗[13], S∗[14], S∗[15]

(6)

After which, the values of Rmin ,Rmax ,HI , and Pr are set back to its original values; and the current cipher-state(S∗) is used as an input to pre-compute Pr number of rounds using S∗[12] as the counter (equation 7).

S∗ ← (S∗)(Pr ) (7)


R7i

≪16

� R7i+132⊕

32

≪12

R7i+2 �32 ⊕

≪8

� R7i+332⊕

≪7

� ⊕R7i+4

≪16

⊕

≪12

�R7i+632

� R7i+532

⊕

≪8

� R7i32⊕

≪7

rand [i]

32

Fig. 3. Generation of rand [i], where i ∈ [0, 7] (the size of variables are in bits)

From now on, the new cipher-state (S∗) will be used as an input to generate the key-stream for encryption. It is to benoted that since Pr rounds have been pre-computed, for encrypting the ith block of a message, only (Ri − Pr ) roundsare required.

3.3 Encryption

As described earlier in section 3.2, for initialization, Freestyle uses plain CTR mode of operation for the first Ih blocks.However for encryption, Freestyle uses non-deterministic CTR mode (figure 4). Here, we introduce the concept ofnon-deterministic CTR mode of operation: in this mode, the counter is XOR-ed with a secret random number (R) that isindependent of the key, nonce ,messaдe , and pepper (unlike randomized-CTR mode where the bytes used to modifythe counter is derived from the key and/or nonce). The non-deterministic CTR mode offers two main benefits: (i) iteliminates the need for setting the initial value for the counter ; and (ii) the counters are now chosen from a secretrandom permutation of the set [0, 2Nb ), that is independent of the key, nonce ,messaдe , and pepper .


encrypt

(counter � 0)⊕R

ciphertext0

key, nonce

plaintext0

encrypt

(counter � 1)⊕R

ciphertext1

key, nonce

plaintext1

· · · · · · encrypt

(counter � n)⊕R

ciphertextn

key, nonce

plaintextn

Fig. 4. Non-deterministic CTR mode of operation, where the counter is XOR-ed with a random number (R) that is independent ofthe key , nonce ,messaдe , and pepper . In case of Freestyle, counter is S (4)[12] and R is rand [0].

In Freestyle, the random number (R) to be XOR-ed with the counter (i.e. S∗[12]) is rand[0]. The rationale behindchoosing rand[0] to be XOR-ed with the counter is: the minimum possible value of Ih is 7, which can only generatea 32-bit random number i.e. rand[0]. The values of rand[i],∀i ∈ [1, 7] will be 0 in this case. Hence, in the worst-casescenario, the counters are always random and unknown to an adversary.Remark 3 The non-deterministic CTR mode may appear similar to key-whitening technique. However, in the non-deterministic CTR mode, the counter is XOR-ed with a random number independent of the key, nonce,pepper , or themessaдe . And the random number is likely to change for each initialization even if key, nonce , pepper , andmessaдe arereused. Also, unlike key-whitening schemes, non-deterministic CTR mode in Freestyle does not require extra key bitsto resist key-guessing attacks. ■

Using the S∗ from the equation 7, the key-stream for a block of plaintext is computed by running random numberof round (Ri − Pr ) on S∗. The S∗i is then added to S∗ to generate the keystream (equation 9). The keystream is then isXOR-ed with a block of plaintext to generate a block of ciphertext. For a given ith block of a message, ∀i ∈ [0,Nb ) theciphertext is generated as shown in equations 8,9, and 10.

S∗i = (S∗)(Ri−Pr ) (8)

keystreami = S∗i ⊞ S∗ (9)

ciphertexti = plaintexti ⊕ keystreami (10)

Where Ri = random(Rmin ,Rmax ),∀i ∈ [0,Nb ); and Nb is the total number of blocks in a message.

3.4 Initialization for decryption

For initializing the cipher for decryption, the receiver like the sender first computes cipher-parameter (Cp ) and sets thefollowing temporary configuration:

Rmin = 8, Rmax = 32, HI = 1, and Pr = 4 (11)


and computes S(4) using the key and nonce . Then the receiver iterates pepper from 0 to (2Pb − 1) using equation 5,until Ih number of valid round numbers are found, corresponding to each of the received Ih number of hashes. Oncesuccessful, the receiver computes the 256-bit rand value using the valid round numbers: {R0,R1, ...,RIh−1}, as shownin figure 3.

Using the rand , the new cipher-state (S∗) is computed as shown in equation 6. The original values of Rmin ,Rmax ,HI ,

and Pr provided by the user are restored; and Pr number of rounds are pre-computed (equation 7).

3.5 Decryption

Similar to the encryption (section 3.3), non-deterministic CTR mode is used to decrypt all the blocks of message. And,key-stream is generated using S∗ (equations 8 and 9). The plaintext is generated by XOR-ing the ciphertext withkey-stream (equation 12).

plaintexti = ciphertexti ⊕ keystreami (12)

Similar to encryption, since Pr rounds have been pre-computed, for decrypting the ith block of a message, only(Ri − Pr ) rounds are required.

4 RESULTS AND DISCUSSIONS

4.1 Number of possible ciphertexts

For a givenmessaдe of length |messaдe | bits, themessaдe is divided into Nb =⌈|messaдe |

512

⌉blocks. Since, each block

can be encrypted with a random number (R) of rounds in the range [Rmin ,Rmax ]; the total number of ways a givenblock ofmessaдe can be encrypted using random number of rounds is denoted by Nr , given as:

Nr =Rmax − Rmin

дcd(Rmin ,Rmax )+ 1 (13)

And since all the Nb blocks of themessaдe use the Pb bits of pepper , and 32×Ih7 -bit rand as inputs; the total number

of possible ciphertexts are:

Nc = 2Pb × 2(327 ×Ih) × (Nr )

Nb (14)

From equation 14, as the number of pepper bits, number of initial hashes, or the number of blocks in amessaдe increases,the number of possible ciphertexts for a given key,messaдe , and nonce increases exponentially.

4.2 Resistance to cryptanalysis

This section presents some of the results on Freestyle’s resistance to cryptanalysis. Here we restrict our analysis to theadditional benefits offered by Freestyle; as ChaCha with 12 rounds is known to be secure [Choudhuri and Maitra 2016].And the detailed cryptanalysis of ChaCha can be found in [ch- 2017; Aumasson et al. 2008; Choudhuri and Maitra 2016;Ishiguro 2012; Maitra 2016; Procter 2014].

4.2.1 Cryptanalysis using the hash. Unlike a typical cryptographic hash function, Freestyle does not require highcollision-resistant hash function; the probability of 2−8 for collision is sufficient for its purpose. The hash functionhandles collisions by incrementing the hash till there is no collision (appendix E, line:46).


Freestyle’s hash function uses 128-bits of the cipher-state (S(R)), at least 6-bits of current round number (r ), and 8bits of previous hash (hash(r−HI )). Hence, to generate all possible partial cipher-states that may collide with a givenhash (figure 2) will require 2142 operations. Also, assuming the 8-bit hashes are equally spread over 256 buckets, thereare likely to be 2134 collisions.

The hash function uses Add-Rotate-XOR (ARX) operations, the same set of operations used by ChaCha/Freestyle’squarter-round (QR) (equation 1); hence are not sensitive to timing attacks by design.

4.2.2 Known-plaintext attacks (KPA), Chosen-plaintext attacks (CPA), and differential cryptanalysis. For a known orchosen plaintext, due to the random behavior of Freestyle, even if the nonce is controlled by the adversary, there are Nc

possible ciphertexts. Hence, the effort required in cryptanalysis using known plaintext, chosen plaintext, differentialanalysis increases Nc times.

4.2.3 Chosen-ciphertext attacks (CCA). In chosen-ciphertext attacks we consider two cases based on the adversary’sability to control the nonce .

(i) If nonce cannot be controlled by the adversary. To generate an arbitrary ciphertext, an adversary while initializingthe cipher (section 3.4) has to provide Ih valid hashes, and at least one valid hash for sending block(s) of ciphertext. As arandom round is chosen between [8,32] to initialize the rand (equation 13), there are only 25 valid hash values possiblefor a given block. Hence, at the time of decryption, the total possible hashes that can be accepted by the receiver for ablock of ciphertext is Nr =

(Rmax−Rmin

HI+ 1

). And as there are 256 possible values for hash, to send a valid ciphertext,

the adversary has to send (Ih + Nb ) valid hashes. By brute-force approach, the probability of such an event occurring is:

=

(25256

) Ih×

(Nr256

)Nb

<

2−23 for Ih = 7,

2−26 for Ih = 8,...

2−67 for Ih = 20,...

2−187 for Ih = 56

(15)

Assuming a constant time cryptographic implementation to check the validity of (Ih +Nb ) hashes, for Ih ≥ 20, it is hardin practice to generate an arbitrary ciphertext (CCA) that can be accepted by a receiver if nonce cannot be controlled bythe adversary.

(ii) If nonce can be controlled by the adversary. In this case, the adversary can launch CPA which can reveal (Ih + Nb )valid hashes. And, the adversary can replay them to make the receiver accept arbitrary ciphertext of Nb blocks.

In either of the two cases, after successfully sending a valid ciphertext, the adversary still has to guess the 128-bitrand (in case of Ih = 28). It is computationally infeasible to know which combination of key and rand the Ih hashesmap to.Remark 4 It must be noted that Freestyle’s hash function does not use plaintext/ciphertext as an input. Hence, cannotprevent ciphertext tampering. In practice, Freestyle like ChaCha must be used with a message authentication code(MAC) such as Poly1305 [Bernstein 2005b].


4.2.4 XOR of ciphertexts when key and nonce are reused. Let us consider two messaдes M1 and M2 which whenencrypted, produce ciphertexts C1 and C2. In the event of key and nonce being reused, in a deterministic stream cipher,C1 ⊕ C2 = M1 ⊕ M2. Whereas in Freestyle, for |M1 | and |M2 | ≥ loд2(Nc ):

Pr (C1 ⊕ C2 = M1 ⊕ M2) =1Nc

(16)

The equation 16 indicates that Freestyle is resistant to key re-installation attacks like KRACK [Vanhoef and Piessens2017]. Also, in existing approaches of ciphertext randomization, in case of key and nonce being reused, the randombytes that are shared with the receiver are prone to XOR attacks. However, such attacks are not possible in Freestyle, asonly hashes are sent to the receiver.

4.3 Resisting brute-force and dictionary attacks

Freestyle by design resists brute-force and dictionary attacks by: (i) Restricting pre-computation of stream, and (ii)Wasting adversary’s time and computational power.

4.3.1 Restricting pre-computation of key-stream. In ChaCha, the key-stream can be pre-computed for various keys ifnonce is known. Pre-computation of stream is advantageous for a genuine receiver, as there is no need to wait for themessage. However, for an adversary, pre-computation of streams with various keys is ideal to perform brute-force anddictionary attacks.

In Freestyle, since the key-stream depends on the rand and hash, the exact key-stream cannot be pre-computedunless the sender sends the entire expected hashes. This however, also restricts pre-computation of key-stream even fora genuine receiver.

4.3.2 Wasting adversary’s time and computational resources. For an adversary attempting key-guessing attack, duringthe cipher initialization, for a given attempt, after executing the Rmin rounds the attacker checks if the hash meets theexpected hash after every HI rounds. If the hash does not match, the attacker does not know if: (i) the key is wrong,or (ii) the pepper is wrong, or (iii) the number of rounds is wrong. The only way to confirm that the key or pepper iswrong is to execute until Rmax rounds and find that the computed hash does not match with the expected hash. Incase the hash matches for a round number in range [Rmin ,Rmax ], the attacker will execute more number of rounds tocompute the round number for the next block of message. This has to be performed until all the Ih number of validrounds are found. Thus, paying penalty for each brute-force attempt. To quantify the penalty an adversary has to payin terms of computational power, we introduce the Key-guessing penalty (KGP) metric.Definition : Key-guessing penalty (KGP) - The ratio of expected time taken to attempt decryption of amessaдe

using an incorrect key, and the expected time taken to decrypt amessaдe using the correct key (equation 17).

KGP = time(attempt decryption of amessaдe using an incorrect key)time(decrypt themessaдe using the correct key) (17)

KGP is the measure of a cipher’s resistance to brute-force and dictionary attacks. Based on KGP, a cipher can be classifiedin to two categories (i) Ciphers with KGP ≤ 1, which are not resistant to brute-force and dictionary attacks; and (ii)KGP > 1, ciphers that are brute-force and dictionary attack resistant. Ciphers with KGP > 1 are useful in scenarioswhere an adversary has higher computational power (e.g. a powerful multi-core laptop) than the victim’s system (e.g. a


low powered RFID/IoT device). Such ciphers forces the adversary to use a machine that is at least KGP times faster thanthe victim’s system to launch an effective attack.Remark 5 KGP > 1 is a bare minimum criteria necessary to for an algorithm to be brute-force resistant. In the latersections of the paper we will show that in Freestyle, KGP can be as high as 109. ■Remark 6 KGP > 1 may also be achieved by using delays and CAPTCHAs for each incorrect key attempt. However,this this not due to the property of the cipher itself. Also, such techniques are not useful in resisting offline brute-forceand dictionary attacks. ■

As mentioned in section 3.2, Freestyle uses pepper to achieve KGP > 1. If the sender uses a uniform (P)RNG togenerate the pepper value, the E[pepper ] will be 2(Pb−1); however, for an adversary, since the hashes are unlikely tomatch, would require 2Pb attempts in the worst-case scenario. Hence, the maximum KGP one can expect using auniform (P)RNG is 2. To improve KGP, the sender must use a right-skewed distribution which is kept secret and neednot be shared with the receiver. Not that a right-skewed (P)RNG is the one which tends to generate smaller values forpepper .Remark 7 Irrespective of the distribution used to generate the pepper and number of rounds for encryption/decryption,to generate the rand , a secure (P)RNG with uniform distribution must be used. ■

The probability of an 8-bit hash colliding at the nth trial when an incorrect key or pepper is used (denoted byPrn (X = 1)) is given as:

Prn (X = 1) =(n−1∏i=1

256 − i257 − i

)︸︷︷︸(n−1) failures

×

(1

257 − n

)︸︷︷︸1 success

(18)

Then, the expected number of rounds a user with an incorrect key or pepper will execute is denoted by E[R+] can becomputed as given in equation 19.

E[R+] ≈

Ih∑h=1

( Nr∑n=1

Prn (X = 1))h−1 [( Nr∑

n=1(Rmin + nHI ) × Prn (X = 1)

)+ Rmax ×

(1 −

Nr∑n=1

Prn (X = 1))]

(19)

E[R+] ≈ 34.2727 (20)

During the cipher initialization, for a correct key and pepper , the expected number of rounds a user will execute isE[R] = 20 (i.e. average of 8 and 32). After initialization, Rmin , Rmax , and HI are set to their original values, and whiledecryption, if the expected number of rounds a genuine user executes is denoted by E[R]. Then, the adversary executes2Pb × E[R+] rounds during the initialization. For an adversary, the probability of getting all Ih valid round numbers


10-2

10-1

100

101

102

103

104

105

106

100

101

102

103

104

105

106

KG

P

E[pepper]

Pb = 20

Message size in bytes2

6

27

28

29

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

10-1

100

101

102

103

104

105

106

107

100

101

102

103

104

105

106

107

KG

P

E[pepper]

Pb = 24


6

27

28

29

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

10-1

100

101

102

103

104

105

106

107

108

100

101

102

103

104

105

106

107

108

KG

P

E[pepper]

Pb = 28


6

27

28

29

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

100

102

104

106

108

100

101

102

103

104

105

106

107

108

109

KG

P

E[pepper]

Pb = 32


6

27

28

29

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

Fig. 5. KGP vs E[pepper ] for Rmin = 8, Rmax = 32, HI = 1, Ih = 7, E[R] = 20, Pb ∈ {20, 24, 28, 32}, and various message sizes (64bytes to 4GB).

from the Ih expected hashes, and attempting to decrypt the first block ofmessaдe using an incorrect key is:

=

( Nr∑n=1

Prn (X = 1)) Ih<

2−23 for Ih = 7,

2−26 for Ih = 8,...

2−67 for Ih = 20,...

2−187 for Ih = 56

(21)

which is very low for Ih ≥ 20. On the other hand, a genuine user executes E[pepper ] × E[R+] rounds during theinitialization, and Ih × E[R] rounds when using the correct pepper , and Nb × E[R] rounds to decrypt amessaдe of Nb

blocks. Then, the KGP using equation 17 is:

KGP ≈ 2Pb × E[R+]E[pepper ] × E[R+] + Ih × E[R] + Nb × E[R]

(22)


100

101

102

103

104

105

106

107

0 100 200 300 400 500 600 700 800 900 1000

Nu

mbe

r of

bru

te fo

rce

atte

mpts

per

se

cond

(m

edia

n o

f 1

01

run

s)

SamplesThreefish-256

ChaCha20Trivium

Speck-256-CTRRC4-256

Simon-256-CTRAES-256-CTR

Freestyle (Rmin = 8, Rmax = 32, Pb = 8, Ih = 7, Pr = 4)Freestyle (Rmin = 8, Rmax = 32, Pb = 12, Ih = 7, Pr = 4)Freestyle (Rmin = 8, Rmax = 32, Pb = 16, Ih = 7, Pr = 4)Freestyle (Rmin = 8, Rmax = 32, Pb = 20, Ih = 7, Pr = 4)

Fig. 6. Number of brute-force attempts possible for various ciphers on a single core of i5-6440HQ processor for a 64 byte message

The figure 5 shows the result of KGP vs. E[pepper ] for Rmin = 8,Rmax = 32, Ih = 7, E[R] = 20, Pb ∈ {20, 24, 28, 32},and for various message sizes 64 bytes to 4GB. The results indicate that KGP ∝ 1

|messaдe | ; and can be as large as 109 byusing a right-skewed probability distribution for generating the pepper value.

To demonstrate the effectiveness of the KGP, we compare the number of brute-force attempts per second possible ona single core of i5-6440HQ processor. The results (figure 6) indicate that Freestyle even with the lowest possible valuesof pepper bits (i.e. Pb = 8) and initial hashes (i.e. Ih = 7) outperforms most of the commonly used ciphers by a widemargin.

4.4 Better security for smaller keys

Though, not recommended, ChaCha supports 128-bit keys by concatenating the key with itself to form a 256-bitkey. In Freestyle, rand is used to modify the initial state of cipher to provide an additional 128-bit random secret (incase of Ih = 28). The rand is statistically independent of the key, nonce , pepper , andmessaдe (equation 3); hence, forapplications where 128-bit keys have to be used, Freestyle offers better security than ChaCha.

Also, some applications may have lower key-space due to poor (P)RNG. In such cases, Freestyle can resist up toloд2(KGP) bits of key being leaked. It is to be noted that the source of (P)RNG to generate key may be different fromthe (P)RNG available with the sender. Here we assume that the (P)RNG at the sender for generating pepper and initialIh round numbers are not leaked.


260

280

300

320

340

360

380

400

420

440

460

0 200000 400000 600000 800000 1x106

1.2x106

En

cry

ption s

pee

d in

MB

/se

con

d (

media

n o

f 1

01 s

am

ple

s)

Plaintext size in bytes

ChaCha20Freestyle (Rmin = 8, Rmax = 32, Pr = 4)

260

280

300

320

340

360

380

400

420

440

460

0 200000 400000 600000 800000 1x106

1.2x106

Decry

ptio

n s

pe

ed in M

B/s

econd

(m

edia

n o

f 1

01

sam

ple

s)

Ciphertext size in bytes

ChaCha20Freestyle (Rmin = 8, Rmax = 32, Pr = 4)

Fig. 7. Performance comparison of Freestyle vs. ChaCha20 on a single core of Intel i5-6440HQ processor using randen andarc4random() as the PRNG. Note that the result does not account for the time taken for cipher initialization.

4.5 Overheads

4.5.1 Computational overhead. Freestyle has twomain overheadswhen compared to ChaCha: (i) Overhead in generatinga random number for each block ofmessaдe; (ii) Computation of a hash after every HI rounds, which uses 1 quarterrounds of Freestyle. Hence for encryption the computational overhead is:

= time(to generate Nb random numbers) +Nb∑i=1

(Ri − Rmin

HI+ 1

)× time(1 QR of Freestyle) (23)

Note that the equation 23 does not account for the time taken for cipher initialization. And the worst case performanceoverhead is when Ri = Rmax ,∀i . The figure 7 shows the comparison of performance between optimized versionsof Freestyle and ChaCha201 and Freestyle2 with various configurations, without accounting for the time taken forinitialization. The results were obtained by running the benchmarks on a single core of Intel i5-6440HQ processor usingarc4random[De Raadt 2014] (during cipher initialization) and randen[Wassenberg et al. 2018]3 (during encryption)and as the CPRNG. For the performance comparison test, Rmin = 8, Rmax = 32 has been used to make the cipherperformance comparable to ChaCha20, as an uniformly distributed random number generator is used. The resultsindicate that Freestyle could be 1.13 to 1.60 times slower than ChaCha20 (figure 7). The difference between the

1http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/chacha.c?rev=1.12https://github.com/arun-babu/freestyle/tree/master/optimized/8-323https://github.com/jedisct1/randen-rng

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/chacha.c?rev=1.1

https://github.com/arun-babu/freestyle/tree/master/optimized/8-32

https://github.com/jedisct1/randen-rng


performance of encryption and decryption in Freestyle (figure 7) is mostly due to the delay in generating a randomround number during encryption.

4.5.2 Bandwidth overhead. Freestyle algorithm requires a sender to send the final round’s 8-bit hash; i.e. requiring tosend extra 8 bits for each block ofmessaдe to be sent. Also, for initialization of rand , it requires extra 8 × Ih bits. Hence,the total bandwidth overhead in bits is (8Ih + 8Nb ), i.e.

Bandwidth overhead (in %) = 800 × (Ih + Nb )

|messaдe |≈ 1.5625% (for a block of message) (24)

5 RELATEDWORK

5.1 Randomized encryption schemes

Use of randomized encryption schemes have been in practice for many years, and a taxonomy of randomized ciphers ispresented in [Rivest and Sherman 1983]. Also, some approaches to randomized encryption for public-key cryptographywas proposed in [Cramer and Shoup 1998; ElGamal 1985; Goldwasser and Micali 1984]. Approaches based on chaoticsystems for probabilistic encryption were also proposed [Papadimitriou et al. 2001]. However, the main concern withsome of the existing approaches are high bandwidth expansion factor and computational overhead [Li et al. 2003; Rivestand Sherman 1983].

One of the approaches in practice is to generate random bytes and sending it in the encrypted form. The randombytes along with the key will be used for encryption/decryption [Rivest and Sherman 1983]. Though such approachesare capable of generating large number of ciphertexts for a givenmessaдe and a key; they do not provide the possibilityof KGP > 1. Also, for stream-ciphers, if the key and nonce are reused, there is a possibility of cryptanalysis by XOR-ingciphertexts. Also, in Freestyle, the random bytes are never sent to the receiver in plain nor in the encrypted form. Therandom bytes must be computed by the receiver from the initial Ih hashes. The initial Ih hashes also serve the purposeof preventing an adversary from sending arbitrary ciphertext, thus resisting CCA if the nonce cannot be controlled bythe adversary. Also, Freestyle offers the possibility of generating up to 2256 different ciphertexts even if key, nonce , andother cipher parameters are reused. Also unlike some of the existing randomized ciphers, Freestyle has a low bandwidthoverhead of ≈ 1.5625%.

5.2 Approaches based on difficulty and proof of work

Several algorithms have been proposed in literature to increase the difficulty in key and password guessing using anCPU intensive key-streaching[Kelsey et al. 1997] or key-setup phase [Provos and Mazieres 1999] using a cost-factor.Also approaches that consume large amount of memory have also been proposed [Forler et al. 2013; Percival andJosefsson 2016]. Another related area is use of client puzzles [Boyen 2007] and proof-of-work (e.g. Bitcoin [Nakamoto2008]) to delay cryptographic operations.

The hash based halting condition described in section 3, on a high-level uses similar principle as the Halting KeyDerivation Function (HKDF) proposed in [Boyen 2007]. In HKDF, a sender with a password and random bytes, uses thekey derivation function till n iterations (or based on certain amount of time) to generate a key and a publicly verifiablehash. On the other hand, the receiver uses the random bytes and password to generate the key till the verifiable hashmatches.

Our approach however differs from [Boyen 2007] in the following ways: (i) The minimum and maximum number ofiterations is explicitly defined and is expected to be public. This step is crucial as it ensures a minimum level of security


for genuine user during encryption/decryption. It also ensures that an adversary executes at least the minimum numberof iterations. The maximum iterations ensures that a genuine user cannot run more than specified iterations; thuspreventing the possibility of DoS attacks or getting stuck in an infinite loop due to human errors; (ii) Freestyle does notrequire a complex collision resistant hash function, as hash collisions are handled simply incrementing the hash if acollision occurs. Also, the hash function uses ARX instructions to resist any side-channel cryptanalysis; (iii) In Freestyle,the security of the cipher is not dependent on amount of time taken or number of iterations for cipher initialization, buton the length of pepper bits; (iv) Freestyle uses Ih number of 8-bit hashes for initialization and an 8-bit hash for everyblock of message being sent, thus the total size of hash is not fixed and is ∝ |messaдe |; (v) Freestyle does not requirehash computation at every iteration, instead a hash interval (HI ) parameter is used to determine round intervals atwhich hash must be computed, thus offering flexibility to adjust performance and security; and (vi) Freestyle forcesthe cipher initialization with Rmin = 8 and Rmax = 32, thus ensures enough randomness even in cases where userprovides insecure parameters for cipher initialization; and (vii) Freestyle offers the possibility of much higher KGP byallowing the sender to choose a right-skewed distribution to generate pepper and Ri .

5.3 Freestyle vs ChaCha

When compared to ChaCha, Freestyle offers better security for 128-bit keys (section 4.4). It also provides the possibilityof generating 2256 ciphertexts for a givenmessaдe even if nonce and key is reused (section 4.1). This makes Freestyleresistant to XOR of ciphertext attacks if key and nonce is reused. Randomization also makes Freestyle resistant to KPA,CPA, and CCA (section 4.2.2). Freestyle offers the possibility of KGP > 1, which makes it resistant to brute-force anddictionary based attacks (section 4.3). Also, due to the KGP, Freestyle can resist against attacks which can leak uptoloд2(KGP) key bits. In ChaCha20, S(0) is added with S(20) to generate keystream; which would leak the values of S(20)[i],for i ∈ {0, 1, 2, 3, 12, 13, 14, 15} in case of CPA or CCA attacks. Although, there are no known attacks yet to extract anykey bits from the above leaked values; Freestyle is not prone to such leaks as none of the elements of S∗ in equation 8 isknown to an adversary.

On the other hand, Freestyle was found to be 1.13 to 1.60 times slower than ChaCha20 (section 4.5), and also has ahigher cost of initialization (sections 3.2, 3.4). In terms of bandwidth overhead, Freestyle generates ≈ 1.5625% largerciphertext. In implementation overhead, Freestyle’s encryption and decryption logic differ slightly. ChaCha is a simpleconstant time algorithm, where as Freestyle is a randomized algorithm and adds complexity to make cryptanalysisdifficult in practice. Finally, Freestyle assumes that the sender has a cryptographically secure PRNG.

6 CONCLUSION

In this paper we have introduced Freestyle, a novel randomized cipher capable of generating up to 2256 differentciphertexts for a given key, nonce , andmessaдe; making known-plaintext (KPA), chosen-plaintext(CPA) and chosen-ciphertext (CCA) attacks difficult in practice. We have introduced the concepts of bounded hash based halting condition

and key-guessing penalty (KGP), which are helpful in development and analysis of ciphers resistant to key-guessingattacks. Freestyle has demonstrated KGP > 1 which makes it run faster on a low-powered machine having the correctkey, and is KGP times slower (with high probability) on an adversary’s machine. Freestyle is ideal for applications wherethe ciphertext is assumed to be in full control of the adversary i.e. where an offline brute-force or dictionary attack canbe carried out. Example use-cases include disk encryption, encrypted databases, password managers, sensitive datain public facing IoT devices, etc. The paper has introduced a new class of ciphers having KGP > 1. There is furtherscope for research on other possible and simpler ways to achieve KGP > 1, and study the properties of such ciphers.


The possibility of forcing an adversary to solve a NP-hard problem for every decryption attempt with an incorrect keycould be an attractive topic of research. The key challenge however is to make the time taken for decryption attemptwith an incorrect key, greater than the time taken to detect if the problem is NP-hard.

REFERENCES2017. eBACS: ECRYPT Benchmarking of Cryptographic Systems. https://bench.cr.yp.to/results-stream.html Last accessed 10.5.2018.2017. Libsodium v1.0.12 and v1.0.13 Security Assessment. Technical Report. https://www.privateinternetaccess.com/blog/wp-

content/uploads/2017/08/libsodium.pdf.2017. Security Analysis of ChaCha20-Poly1305 AEAD. Technical Report. KDDI Research, Inc. CRYPTREC-EX-2601-2016,

http://www.cryptrec.go.jp/estimation/cryptrec-ex-2601-2016.pdf.2017. Vulnerability Note VU#307015, Infineon RSA library does not properly generate RSA key pairs. CVE-2017-15361,

https://www.kb.cert.org/vuls/id/307015.David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel

Thomé, Luke Valenta, et al. 2015. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the 22nd ACM SIGSAC Conferenceon Computer and Communications Security. ACM, 5–17.

Giovanni Agosta, Alessandro Barenghi, and Gerardo Pelosi. 2013. High speed cipher cracking: the case of Keeloq on CUDA. (2013).Jean-Philippe Aumasson, Simon Fischer, Shahram Khazaei, Willi Meier, and Christian Rechberger. 2008. New features of Latin dances: analysis of Salsa,

ChaCha, and Rumba. In International Workshop on Fast Software Encryption. Springer, 470–488.Luciano Bello, Maximiliano Bertacchini, and Black Hat. 2008. Predictable PRNG in the vulnerable Debian OpenSSL package: the what and the how. In the

2nd DEF CON Hacking Conference.Daniel J Bernstein. 2005a. Salsa20 specification. eSTREAM Project algorithm description, http://www. ecrypt. eu. org/stream/salsa20pf. html (2005).Daniel J Bernstein. 2005b. The Poly1305-AES Message-Authentication Code.. In FSE, Vol. 3557. Springer, 32–49.Daniel J Bernstein. 2008a. ChaCha, a variant of Salsa20. In Workshop Record of SASC, Vol. 8. 3–5.Daniel J Bernstein. 2008b. The Salsa20 family of stream ciphers. Lecture Notes in Computer Science 4986 (2008), 84–97.Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo Pironti, Pierre-Yves Strub, and

Jean Karim Zinzindohoue. 2015. A messy state of the union: Taming the composite state machines of TLS. In Security and Privacy (SP), 2015 IEEESymposium on. IEEE, 535–552.

Xavier Boyen. 2007. Halting password puzzles. In Proc. Usenix Security.William Buchanan. 2015. When Slow Is Good - The Great Slowcoach: Bcrypt. https://www.linkedin.com/pulse/when-slow-good-great-slowcoach-bcrypt-

william-buchanan.Elie Bursztein. 2014. Speeding up and strengthening HTTPS connections for Chrome on Android. Google security blog,

https://security.googleblog.com/2014/04/speeding-up-and-strengthening-https.html.Vincent Chiriaco, Aubrey Franzen, Rebecca Thayil, and Xiaowen Zhang. 2017. Finding partial hash collisions by brute force parallel programming. In

Systems, Applications and Technology Conference (LISAT), 2017 IEEE Long Island. IEEE, 1–6.Arka Rai Choudhuri and Subhamoy Maitra. 2016. Differential Cryptanalysis of Salsa and ChaCha-An Evaluation with a Hybrid Model. IACR Cryptology

ePrint Archive 2016 (2016), 377.Ronald Cramer and Victor Shoup. 1998. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Annual

International Cryptology Conference. Springer, 13–25.Theo De Raadt. 2014. arc4random - randomization for all occasions. http://www.openbsd.org/papers/hackfest2014-arc4random/index.htmlF Denis. 2018. The XChaCha20-Poly1305 construction. https://download.libsodium.org/doc/secret-key_cryptography/xchacha20-

poly1305_construction.html.Taher ElGamal. 1985. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE transactions on information theory 31, 4

(1985), 469–472.Christian Forler, Stefan Lucks, and Jakob Wenzel. 2013. Catena: A memory-consuming password-scrambling framework. Technical Report. Citeseer.Shafi Goldwasser and Silvio Micali. 1984. Probabilistic encryption. Journal of computer and system sciences 28, 2 (1984), 270–299.Weikai Gu, Yingzhen Huang, Rongxin Qian, Zheyuan Liu, and Rongjie Gu. 2017. Attacking Crypto-1 Cipher Based on Parallel Computing Using GPU. In

International Conference on Applications and Techniques in Cyber Security and Intelligence. Springer, 293–303.Frank K Gürkaynak, Robert Schilling, Michael Muehlberghuber, Francesco Conti, Stefan Mangard, and Luca Benini. 2017. Multi-core data analytics SoC

with a flexible 1.76 Gbit/s AES-XTS cryptographic accelerator in 65 nm CMOS. In Proceedings of the Fourth Workshop on Cryptography and Security inComputing Systems. ACM, 19–24.

Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J Alex Halderman. 2012. Mining Your Ps and Qs: Detection of Widespread Weak Keys in NetworkDevices.. In USENIX Security Symposium, Vol. 8.

Tsukasa Ishiguro. 2012. Modified version of" Latin Dances Revisited: New Analytic Results of Salsa20 and ChaCha". IACR Cryptology ePrint Archive 2012(2012), 65.

http://www.openbsd.org/papers/hackfest2014-arc4random/index.html


Shubham Jain, Ashish Ranjan, Kaushik Roy, and Anand Raghunathan. 2017. Computing in Memory with Spin-Transfer Torque Magnetic RAM. arXivpreprint arXiv:1703.02118 (2017).

Khalid Javeed, Xiaojun Wang, and Mike Scott. 2016. High performance hardware support for elliptic curve cryptography over general prime field.Microprocessors and Microsystems (2016).

Gershon Kedem and Yuriko Ishihara. 1999. Brute force attack on UNIX passwords with SIMD computer. (1999).John Kelsey, Bruce Schneier, Chris Hall, and David Wagner. 1997. Secure applications of low-entropy keys. In International Workshop on Information

Security. Springer, 121–134.Ayesha Khalid, Goutam Paul, and Anupam Chattopadhyay. 2017. RC4-AccSuite: A Hardware Acceleration Suite for RC4-Like Stream Ciphers. IEEE

Transactions on Very Large Scale Integration (VLSI) Systems 25, 3 (2017), 1072–1084.Soo Hyeon Kim, Daewan Han, and Dong Hoon Lee. 2013. Predictability of Android OpenSSL’s pseudo random number generator. In Proceedings of the

2013 ACM SIGSAC conference on Computer & communications security. ACM, 659–668.Wonjoo Kim, Anupam Chattopadhyay, Anne Siemon, Eike Linn, Rainer Waser, and Vikas Rana. 2016. Multistate memristive tantalum oxide devices for

ternary arithmetic. Scientific reports 6 (2016).A Langley, W Chang, N Mavrogiannopoulos, J Strombergson, and S Josefsson. 2016. ChaCha20-Poly1305 cipher suites for transport layer security (TLS).

Technical Report.Arjen Lenstra, James P Hughes, Maxime Augier, Joppe Willem Bos, Thorsten Kleinjung, and Christophe Wachter. 2012. Ron was wrong, Whit is right.

Technical Report. IACR.Shujun Li, Xuanqin Mou, Boliya L Yang, Zhen Ji, and Jihong Zhang. 2003. Problems with a probabilistic encryption scheme based on chaotic systems.

International Journal of Bifurcation and Chaos 13, 10 (2003), 3063–3077.Zhe Liu, Johann Großschädl, Zhi Hu, Kimmo Järvinen, Husen Wang, and Ingrid Verbauwhede. 2017. Elliptic curve cryptography with efficiently

computable endomorphisms and its hardware implementations for the internet of things. IEEE Trans. Comput. 66, 5 (2017), 773–785.Eduardo Novella Lorente, Carlo Meijer, and Roel Verdult. 2015. Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers.. In WOOT.Subhamoy Maitra. 2016. Chosen IV cryptanalysis on reduced round ChaCha and Salsa. Discrete Applied Mathematics 208 (2016), 88–97.Katja Malvoni, Designer Solar, and Josip Knezović. 2014. Are your passwords safe: Energy-efficient bcrypt cracking with low-cost parallel hardware. In

WOOT’14 8th Usenix Workshop on Offensive Technologies Proceedings 23rd USENIX Security Symposium.DamienMiller. 2018. chacha20poly1305 protocol. https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD,

Last accessed 1.12.2018.Damien Miller and S Josefsson. 2018. The [email protected] authenticated encryption cipher draft-josefsson-ssh-chacha20-poly1305-

openssh-00. Network Working Group Internet-Draft, https://tools.ietf.org/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00, Last accessed1.12.2018.

Satoshi Nakamoto. 2008. Bitcoin: A peer-to-peer electronic cash system. (2008).Yoav Nir and Adam Langley. 2015. ChaCha20 and Poly1305 for IETF Protocols. Technical Report.Stergios Papadimitriou, Tassos Bountis, Seferina Mavroudi, and Anastasios Bezerianos. 2001. A probabilistic symmetric encryption scheme for very fast

secure communication based on chaotic systems of difference equations. International Journal of Bifurcation and Chaos 11, 12 (2001), 3107–3115.Colin Percival and Simon Josefsson. 2016. The scrypt password-based key derivation function. Technical Report.Gordon Procter. 2014. A Security Analysis of the Composition of ChaCha20 and Poly1305. IACR Cryptology ePrint Archive 2014 (2014), 613.Niels Provos and David Mazieres. 1999. Bcrypt algorithm. USENIX.Dayane Reis, Michael Niemier, and X Sharon Hu. 2018. Computing in memory with FeFETs. In Proceedings of the International Symposium on Low Power

Electronics and Design. ACM, 24.Ronald L Rivest and Alan T Sherman. 1983. Randomized encryption techniques. In Advances in Cryptology. Springer, 145–163.Andrew Ruddick and Jeff Yan. 2016. Acceleration attacks on PBKDF2: or, what is inside the black-box of oclHashcat?. In WOOT.Abu Sebastian, Tomas Tuma, Nikolaos Papandreou, Manuel Le Gallo, Lukas Kull, Thomas Parnell, and Evangelos Eleftheriou. 2017. Temporal correlation

detection using computational phase-change memory. Nature Communications (2017). https://doi.org/10.1038/s41467-017-01481-9Mathy Vanhoef and Frank Piessens. 2017. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In Proceedings of the 24th ACM Conference on

Computer and Communications Security (CCS). ACM.Andrea Visconti, Simone Bossi, Hany Ragab, and Alexandro Calò. 2015. On the weaknesses of PBKDF2. In International Conference on Cryptology and

Network Security. Springer, 119–126.Jan Wassenberg, Robert Obryk, Jyrki Alakuijala, and Emmanuel Mogenet. 2018. Randen-fast backtracking-resistant random generator with AES+ Feistel+

Reverie. arXiv preprint arXiv:1810.02227 (2018).Friedrich Wiemer and Ralf Zimmermann. 2014. High-speed implementation of bcrypt password search using special-purpose hardware. In ReConFigurable

Computing and FPGAs (ReConFig), 2014 International Conference on. IEEE, 1–6.Scott Yilek, Eric Rescorla, Hovav Shacham, Brandon Enright, and Stefan Savage. 2009. When private keys are public: Results from the 2008 Debian

OpenSSL vulnerability. In Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference. ACM, 15–27.T Ylonen and C Lonvick. 2006. The secure shell (ssh) transport layer protocol, rfc 4253.

https://doi.org/10.1038/s41467-017-01481-9


Appendix A REFERENCE CODE - FREESTYLE HASH FUNCTION

1#define AXR(a,b,c,r) {a = PLUS(a,b); c = ROTATE(XOR(c,a),r);}

23u8 freestyle_hash (

4const u32 cipher_state [16],

5const u8 previous_hash ,

6const u8 rounds)

7{

8u8 hash;

910u32 temp1 = rounds;

11u32 temp2 = previous_hash;

1213AXR (temp1 , cipher_state[ 3], temp2 , 16);



16AXR (temp2 , cipher_state [12], temp1 , 7);

1718hash = temp1 & 0xFF;

1920return hash;

21}

Appendix B REFERENCE CODE - INITIALIZATION FOR ENCRYPTION

1#define MAX_INIT_HASHES (56)

23void freestyle_randomsetup_encrypt (freestyle_ctx *x)

4{

5u32 i;

67u8 R [MAX_INIT_HASHES ]; /* actual random rounds */

8u8 CR[MAX_INIT_HASHES ]; /* collided random rounds */

910u32 temp1;

11u32 temp2;

1213const u32 saved_min_rounds = x->min_rounds;

14const u32 saved_max_rounds = x->max_rounds;

15const u32 saved_hash_interval = x->hash_interval;

16const u8 saved_num_precomputed_rounds = x->num_precomputed_rounds;

17


18u32 p;

1920if (! x->is_pepper_set)

21{

22x->pepper = arc4random_uniform (

23x->pepper_bits == 32 ? -1 : (1 << x->pepper_bits)

24);

25}

2627/* set sane values for initalization */

28x->min_rounds = 8;

29x->max_rounds = 32;

30x->hash_interval = 1;

31x->num_precomputed_rounds = 4;

3233for (i = 0; i < MAX_INIT_HASHES; ++i) {

34R [i] = CR[i] = 0;

35}

3637/* initial pre -computed rounds */

38freestyle_precompute_rounds(x);

3940/* add a random/user -set pepper to constant [0] */

41x->input[CONSTANT0] = PLUS(x->input[CONSTANT0], x->pepper );

4243for (i = 0; i < x->num_init_hashes; ++i)

44{

45R[i] = freestyle_encrypt_block (

46x,

47NULL ,

48NULL ,

490,

50&x->init_hash [i]

51);

5253freestyle_increment_counter (x);

54}

5556if (! x->is_pepper_set)

57{

58/* set constant [0] back to its previous value */


59x->input[CONSTANT0] = MINUS(x->input[CONSTANT0], x->pepper );

6061/* check for any collisions between 0 and pepper */

62for (p = 0; p < x->pepper; ++p)

63{

64x->input[COUNTER] = x->initial_counter;


67{

68CR[i] = freestyle_decrypt_block (

69x,

70NULL ,

71NULL ,

720,

73&x->init_hash [i]

74);

7576if (CR[i] == 0) {

77goto retry;

78}

7980freestyle_increment_counter(x);

81}

8283/* found a collision; use the collided rounds */

84memcpy(R, CR, sizeof(R));

85break;

8687retry:

88x->input[CONSTANT0] = PLUSONE(x->input[CONSTANT0 ]);

89}

90}

9192for (i = 0; i < 8; ++i)

93{

94temp1 = 0;

95temp2 = 0;

9697AXR (temp1 , R[7*i + 0], temp2 , 16);

98AXR (temp2 , R[7*i + 1], temp1 , 12);

99AXR (temp1 , R[7*i + 2], temp2 , 8);


100AXR (temp2 , R[7*i + 3], temp1 , 7);

101102AXR (temp1 , R[7*i + 4], temp2 , 16);

103AXR (temp2 , R[7*i + 5], temp1 , 12);

104AXR (temp1 , R[7*i + 6], temp2 , 8);

105AXR (temp2 , R[7*i + 0], temp1 , 7);

106107x->rand[i] = temp1;

108}

109110/* set user parameters back */

111x->min_rounds = saved_min_rounds;

112x->max_rounds = saved_max_rounds;

113x->hash_interval = saved_hash_interval;

114x->num_precomputed_rounds = saved_num_precomputed_rounds;

115116/* set counter to the value that was after pre -computed rounds */


118119/* modify constant [1], constant [2], and constant [3] */

120x->input[CONSTANT1] ^= x->rand [1];



123124/* modify key[0], key[1], key[2], and key[3] */

125x->input[KEY0] ^= x->rand [4];




129130/* Do pre -computation as specified by the user */


132}

Appendix C REFERENCE CODE - INITIALIZATION FOR DECRYPTION

1void freestyle_randomsetup_decrypt (freestyle_ctx *x)

2{

3u32 i;

45u8 R [MAX_INIT_HASHES ]; /* random rounds */

6


7u32 temp1;

8u32 temp2;

910const u8 saved_min_rounds = x->min_rounds;

11const u8 saved_max_rounds = x->max_rounds;

12const u8 saved_hash_interval = x->hash_interval;

13const u8 saved_num_precomputed_rounds = x->num_precomputed_rounds;

1415u32 pepper;

1617u32 max_pepper = x->pepper_bits == 32 ?

18UINT32_MAX : (u32) ((1 << x->pepper_bits) - 1);

1920/* set sane values for initalization */

21x->min_rounds = 8;

22x->max_rounds = 32;

23x->hash_interval = 1;

24x->num_precomputed_rounds = 4;

2526for (i = 0; i < MAX_INIT_HASHES; ++i) {

27R[i] = 0;

28}

2930/* initial pre -computed rounds */


3233/* if initial pepper is set , then add it to constant [3] */

34x->input [CONSTANT0] = PLUS(x->input[CONSTANT0], x->pepper );

3536for (pepper = x->pepper; pepper <= max_pepper; ++ pepper)

37{



41{

42R[i] = freestyle_decrypt_block (

43x,

44NULL ,

45NULL ,

460,

47&x->init_hash [i]


48);

4950if (R[i] == 0) {

51goto retry;

52}

5354freestyle_increment_counter (x);

55}

5657/* found all valid R[i]s */

58break;

5960retry:

61x->input[CONSTANT0] = PLUSONE(x->input[CONSTANT0 ]);

62}

6364for (i = 0; i < 8; ++i)

65{

66temp1 = 0;

67temp2 = 0;

6869AXR (temp1 , R[7*i + 0], temp2 , 16);

70AXR (temp2 , R[7*i + 1], temp1 , 12);

71AXR (temp1 , R[7*i + 2], temp2 , 8);

72AXR (temp2 , R[7*i + 3], temp1 , 7);

7374AXR (temp1 , R[7*i + 4], temp2 , 16);

75AXR (temp2 , R[7*i + 5], temp1 , 12);

76AXR (temp1 , R[7*i + 6], temp2 , 8);

77AXR (temp2 , R[7*i + 0], temp1 , 7);

7879x->rand[i] = temp1;

80}

8182/* set user parameters back */

83x->min_rounds = saved_min_rounds;

84x->max_rounds = saved_max_rounds;

85x->hash_interval = saved_hash_interval;

86x->num_precomputed_rounds = saved_num_precomputed_rounds;

8788/* set counter to the value that was after pre -computed rounds */



9091/* modify constant [1], constant [2], and constant [3] */




9596/* modify key[0], key[1], key[2], and key[3] */





101102/* Do pre -computation as specified by the user */


104}

Appendix D REFERENCE CODE - ENCRYPTION AND DECRYPTION

1#define freestyle_encrypt (...) freestyle_xcrypt(__VA_ARGS__ ,true)

2#define freestyle_decrypt (...) freestyle_xcrypt(__VA_ARGS__ ,false)

34int freestyle_xcrypt (

5freestyle_ctx *x,

6const u8 *plaintext ,

7u8 *ciphertext ,

8u32 bytes ,

9u8 *hash ,

10const bool do_encryption)

11{

12u32 i = 0;

13u32 block = 0;

1415while (bytes > 0)

16{

17u8 bytes_to_process = bytes >= 64 ? 64 : bytes;

1819u32 num_rounds = freestyle_xcrypt_block (

20x,

21plaintext + i,

22ciphertext + i,

23bytes_to_process ,


24&hash [block],

25do_encryption

26);

2728if (num_rounds < x->min_rounds) {

29return -1;

30}

3132i += bytes_to_process;

33bytes -= bytes_to_process;

3435++block;

3637freestyle_increment_counter(x);

38}

39return 0;

40}

Appendix E REFERENCE CODE - ENCRYPT OR DECRYPT A BLOCK OF MESSAGE

1#define MAX_HASH_VALUES (256)

23u8 freestyle_xcrypt_block (

4freestyle_ctx *x,

5const u8 *plaintext ,

6u8 *ciphertext ,

7u8 bytes ,

8u8 *expected_hash ,

9const bool do_encryption)

10{

11u32 i;

1213u8 hash = 0;

1415u32 output [16];

1617bool init = (plaintext == NULL) || (ciphertext == NULL);

1819u8 r;

20u8 rounds = do_encryption ? freestyle_random_round_number (x): x->max_rounds;

2122bool do_decryption = ! do_encryption;


2324bool hash_collided [MAX_HASH_VALUES ];

2526memset (hash_collided , false , sizeof(hash_collided ));

2728for (i = 0; i < 16; ++i) {

29output [i] = x->input [i];

30}

3132/* modify counter */

33output[COUNTER] ^= x->rand [0];

3435for (r = x->num_precomputed_rounds + 1; r <= rounds; ++r)

36{

37if (r & 1)

38freestyle_column_round (output );

39else

40freestyle_diagonal_round (output );

4142if (r >= x->min_rounds && r % x->hash_interval == 0)

43{

44hash = freestyle_hash (x,output ,hash ,r);

4546while (hash_collided [hash]) {

47++hash;

48}

4950hash_collided [hash] = true;

5152if (do_decryption && hash == *expected_hash) {

53break;

54}

55}

56}

5758if (do_encryption)

59*expected_hash = hash;

60else

61if (r > x->max_rounds)

62return 0;

63


64if (! init)

65{

66u8 keystream [64];

6768for (i = 0; i < 16; ++i)

69{

70output[i] = PLUS(output[i], x->input[i]);

71U32TO8_LITTLE (keystream + 4 * i, output[i]);

72}

7374for (i = 0; i < bytes; ++i) {

75ciphertext [i] = plaintext[i] ^ keystream[i];

76}

77}

7879return do_encryption ? rounds : r;

80}

Freestyle, a randomized version of ChaCha for …Freestyle, a randomized version of ChaCha for...

Documents

Transcript of Freestyle, a randomized version of ChaCha for …Freestyle, a randomized version of ChaCha for...